Cloud Armor That’s Not Quite So Fluffy

Blockchain-style ledgers can log changes to files stored online.


The tiny Baltic nation of Estonia is a strong contender for the title of most digital society. Its citizens can vote, file income taxes, check health records, and register a business in a matter of minutes, all from their living rooms. Skype was born there, as was the early file-sharing software Kazaa. So Estonia was a natural home for Guardtime, whose unique approach to cybersecurity is rooted in blockchain, the digital-ledger software underlying electronic currencies like bitcoin.

Guardtime developed its technology to address one of the risks that came with Estonia’s leap into e-governance, a newfound vulnerability to hackers and data loss. The company sees fresh opportunity in a similar transition that affects every government and most businesses: the move into the cloud.

The advantages of cloud computing come with a serious downside. Storing and managing data cheaply on remote servers means that, at the end of the day, users don’t fully control their own files. “There’s no ability to audit what’s going on, there’s no legal recourse when things go wrong, and they simply have to trust the cloud service provider,” says Guardtime Chief Executive Officer Mike Gault.

Whether you’re worried about a document stored on a cloud server or the software that makes a machine run, Guardtime’s technology fingerprints that data, creating 80-digit numeric strings to represent different parts of it. Its software then encrypts them into unique codes added to its blockchain. The encryption software runs simultaneously on a network of approved computers, which notice changes to the codes if anyone tries to access the data and can alert security staff.

Gault says it took even him about six months to fully understand Guardtime’s technology, but customers whose top priority is data security seem to get it. They include General Electric, defense contractor Lockheed Martin, and several government departments in Estonia, including the health agency, which maintains more than 1 million citizens’ records.

“My suspicion is that everybody’s going to have to do this over the next several years,” says Jason Hoffman, cloud chief at networking-equipment maker Ericsson, which uses Guardtime to monitor its cloud hardware and software. “It’s the digital equivalent of signing a contract and notarizing that signed contract, then registering that signed contract with the notary and your lawyer,” he says.

Guardtime was founded in 2007 after a cyber attack disabled Estonian government and business networks. The hack prompted Estonian cryptographers Ahto Buldas and Mart Saarepera to try securing government data with a digital time-stamping technique they’d developed. Saarepera talked Gault into quitting his job as a derivatives trader in Japan to help start Guardtime. They’d met in the 1990s, when Gault was studying quantum computing.

The employee-owned company has more than 100 people in Estonia’s two biggest cities, Tallinn and Tartu; Irvine, Calif.; and Amsterdam. Tim Fitzpatrick, president of the company, says customer contracts worth tens of millions of dollars in annual revenue cover Guardtime’s costs, but he declined to provide more financial specifics. Some users pay a few cents apiece for Guardtime to verify or monitor a small number of documents. On the high end is a custom system called Black Lantern, which can cost $10 million or more to set up for military clients and other complex jobs.

Blockchain-based systems can be gamed, too. The one underpinning digital currency Ethereum suffered a $60 million hack this year. Gault says such incidents are the fault of sloppy developers, not blockchain.

Careful development has helped Guardtime stand out in an increasingly crowded field, enough that the Defense Advanced Research Projects Agency (Darpa), the Pentagon’s research arm, has dedicated $1.8 million to putting the company’s system through its paces. Tim Booher, manager of Darpa’s Information Innovation Office, says the study is meant to mathematically prove Guardtime’s technology works as advertised, which could help persuade U.S. government customers to adopt it. He’s optimistic.

“They did their homework very carefully,” Booher says. “I haven’t found anyone else that uses this efficient of a construct and has the IT and demonstrated history of years of this working in a real government and at massive scale.”

The bottom line: Employee-owned Guardtime, whose software is rooted in blockchain, is the Pentagon’s early leader for cloud security.
